Step 4. Enable Data Encryption

    At the Options step of the wizard, choose whether you want to encrypt backup files stored in the selected Amazon S3 bucket folder.

    Important

    If you have chosen an existing folder at the Settings step of the wizard, and if encryption is enabled for this folder at the repository level, you must provide the currently used password or encryption key to let Veeam Backup for AWS access this folder and add it as a backup repository. You cannot change encryption settings while adding the repository. However, you will be able to edit the repository settings later.

    To enable encryption for the backup repository, do the following:

    1. Click Edit Encryption Settings.
    2. In the Encryption settings window, set the Enable encryption toggle to On.
    3. Choose whether you want to use a password or an AWS Key Management Service (KMS) key to encrypt the backed-up data. For more information on encryption algorithms, see Backup Repository Encryption.
    • To use password encryption, select the Use password encryption option, and specify a password that will be used to encrypt data.
    • To encrypt data using AWS KMS keys, select the Use KMS encryption key option and choose a KMS key from the Encryption key drop-down list. For a KMS key to be displayed in the list of available encryption keys, it must be created in the AWS Region where the selected Amazon S3 bucket is located and the IAM role specified to access the bucket must have permissions to the key. For more information on permissions required for the IAM role, see Repository IAM Role Permissions. For more information on KMS keys, see AWS Documentation.

    Important

    If you choose to use AWS KMS keys for encryption at the repository level, keep the following in mind:

    • Only symmetric KMS keys are supported.
    • Do not disable KMS keys used to encrypt repositories, otherwise Veeam Backup for AWS will not be able to encrypt data, and backup policies that use encrypted repositories for storing backups will fail.
    • Do not delete KMS keys used to encrypt repositories, otherwise Veeam Backup for AWS will not be able to decrypt data stored in these repositories.

    If a KMS key is scheduled for deletion, it acquires the Pending deletion state. In this case, Veeam Backup for AWS will raise a warning, and, during the following 7 days, you must either change the encryption settings for the backup repository in Veeam Backup for AWS or cancel the key deletion.

    For more information on disabling and deletion of KMS keys, see AWS Documentation.
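    The key constraints above can be checked before a key is selected. The following is an added example, not part of the Veeam product or its documentation: it evaluates the KeyMetadata object returned by `aws kms describe-key` against those constraints. The function name and sample values are assumptions made for illustration, and IAM role permissions to the key are not checked here.

```python
"""Pre-flight check of a KMS key against the repository key constraints.

Input is the "KeyMetadata" object from `aws kms describe-key --key-id <id>`.
check_repository_key() is a hypothetical helper written for this example.
"""


def check_repository_key(key_metadata, bucket_region):
    """Return a list of problems; an empty list means the key passes."""
    problems = []

    # Key ARN layout: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
    key_region = key_metadata["Arn"].split(":")[3]
    if key_region != bucket_region:
        problems.append(
            f"key is in {key_region}, but the bucket is in {bucket_region}")

    # SYMMETRIC_DEFAULT is the key spec of a symmetric encryption KMS key.
    key_spec = key_metadata.get("KeySpec")
    if key_spec != "SYMMETRIC_DEFAULT":
        problems.append(f"key spec {key_spec} is not a symmetric encryption key")

    state = key_metadata.get("KeyState")
    if state == "PendingDeletion":
        # Deleting the key makes existing backups undecryptable.
        problems.append(
            f"key is scheduled for deletion on {key_metadata.get('DeletionDate')}: "
            "cancel the deletion or change the repository encryption settings")
    elif state != "Enabled":
        # A disabled key makes backup policies that use the repository fail.
        problems.append(f"key state is {state}, expected Enabled")

    return problems


# Constructed sample (placeholder account ID and key ID, not real values).
SAMPLE_KEY = {
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
}

if __name__ == "__main__":
    pending = dict(SAMPLE_KEY, KeyState="PendingDeletion",
                   DeletionDate="2030-01-08T00:00:00+00:00")
    for label, key in (("enabled key", SAMPLE_KEY), ("pending key", pending)):
        print(label, "->", check_repository_key(key, "eu-west-1") or "OK")
```

    Running the same check on a schedule against every key used by a repository surfaces a disabled or pending-deletion key before a backup policy fails.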
